Re: How to restrict access to FTD management interface.

Grzegorz86 · ‎09-21-2021

Hi,

I am trying to restrict SSH access to the management interface of the FTD device.

Can someone share the correct procedure?

Platform settings apply only to the data interfaces and the management interface is still accessible.

I tried applying ssh access list from CLISH but that did not work either and the device is still accessible from any IP.

  > configure ssh-access-list 10.0.0.0/8

We are running FXOS version 6.7 on FTD 2110 managed by FMC on version 7.0

Marvin Rhoads · ‎09-21-2021

That's the proper command. There was a bug with it back in 6.2.x but that should be fixed on 6.7 and 7.0

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve55973/?rfs=iqvred

I tested it on my device and it appears to work as expected (prevented me from accessing the device from a non-10.0.0.0/8 address):

Grzegorz86 · ‎09-21-2021

Hi Marvin,

Thank you for your reply.

I just did some more checks and can see that my ACL is applied. However, I have two permit any any statements at the beginning and the end of ACL. Please see redacted entries below.

show ssh-access-list
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- ---- anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- --- anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- --- anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- ---- anywhere state NEW tcp dpt:ssh
ACCEPT tcp anywhere anywhere state NEW tcp dpt:ssh

How can I modify it to get rid of the any any statements?

Marvin Rhoads · ‎09-21-2021

You should be able to enter a replacement with just the networks you want:

configure ssh-access-list <entry_1>,<entry_2>,<entry_n>

That will replace the existing entries.

Grzegorz86 · ‎09-21-2021

That's what I did.
I configured acl in the format

Configure ssh-access-list 10.1.1.0/24,10.2.0.0/24,172.16.0.0/16

Unfortunately, permit any any entries are still retained.

Marvin Rhoads · ‎09-22-2021

I tested on my system it worked as I described. See my output below:

> configure ssh-access-list 10.0.0.0/8

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT     tcp  --  10.0.0.0/8           anywhere             state NEW tcp dpt:ssh
> 
> configure ssh-access-list 10.0.0.0/8,172.16.0.0/12

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT     tcp  --  10.0.0.0/8           anywhere             state NEW tcp dpt:ssh
ACCEPT     tcp  --  172.16.0.0/12        anywhere             state NEW tcp dpt:ssh
> 
> configure ssh-access-list 172.16.0.0/12

The ssh access list was changed successfully.

> show ssh-access-list
ACCEPT     tcp  --  172.16.0.0/12        anywhere             state NEW tcp dpt:ssh
>

Grzegorz86 · ‎09-22-2021

Thanks, Marvin

It does not work for me in production.

It works fine in the lab but I am using a different version there.

When I configure ACL it does not remove entries but just duplicates them and add to the bottom of the ACL

Another thing is I cannot even disable ssh access completely.

After issuing configure disable-ssh-access access is still there and ACL is not being removed.

It disappears from the config and ssh access is restricted as expected when I test in LAB.

I must be hitting some bug and will raise that with cisco.

Grzegorz86 · ‎09-30-2021

Hi,

I thought I will share the update for anyone who has the same issue.

Basically, we were hitting the below bug.

CSCvx71156 - access list is not working on 6.7

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvx71156

Cisco TAC came up with a workaround involving logging in to expert mode, a manual edition of iptables and iptables service restart afterwards.

This fixed the problem and we were able to restrict access as required.

Marvin Rhoads · ‎09-30-2021

Thanks for the update - I hadn't encountered that bug before.